Abstract

We provide a proof of knowledge assumption that allows us to construct a
three round zero-knowledge proof system for any language in NP.



1 Introduction 

Goldwasser, Micali and Rackoff[5] defined a Zero-Knowledge Proof System.
Brassard, Chaum and Crépeau[3] later defined a Zero-Knowledge argument
which differs from a Zero-Knowledge proof in that the prover is assumed to be 
computationally bounded. Goldreich and Krawczyk[4] proved that any language 
with a 3-round Black Box Zero-Knowledge proof or argument is in BPP. At the 
time of Goldreich and Krawczyk's paper all known Zero-Knowledge proofs and 
arguments achieved Black Box Zero-Knowledge. Hada and Tanaka[6] provided 
a 3-round Zero-Knowledge argument for every language in NP under a very 
strong version of the Diffie-Hellman assumption. 

We present a different assumption that can be used to prove the existence of 
3-round Zero-Knowledge proofs for every language in NP. Our work is based on 
the concept of an oblivious transfer channel proposed by Micali and Bellare[1].

2 The Assumption 

A proof of knowledge similar to the following is commonly used in
Zero-Knowledge Proofs.

• PROVER: Sends $(p, g, R, H)$ to VERIFIER where $p$ is a prime of the
form $2q - 1$ and $q$ is prime, $g$ is a generator of $Z_p^*$, $R$ is a random
element of $Z_p^*$ and $H$ is a hash function whose range is $\{0, 1\}^*$.

• VERIFIER: Selects a random $x$ and $y$ in $Z_p^*$. Flips a coin. If the coin
comes up heads, he chooses the pair $X = (g^x, Rg^y)$; if the coin comes up
tails, he chooses the pair $X = (Rg^x, g^y)$.

• VERIFIER: Selects $k$ pairs $A_i$ in the following manner. First select $x_i$
and $y_i$ from $Z_p^*$, then flip a coin to choose between
$A_i = (g^{x_i}, Rg^{y_i})$ and $A_i = (Rg^{x_i}, g^{y_i})$. We say $A_i$ is
constructed in the same manner as $X$ if $X = (g^x, Rg^y)$ and
$A_i = (g^{x_i}, Rg^{y_i})$ or if $X = (Rg^x, g^y)$ and $X = (Rg^x, g^y)$.

• VERIFIER: Let $b_1 \ldots b_k = H(X, A_1, \ldots, A_k)$. If $b_i = 0$ then set
$B_i = (x_i, y_i)$. If $b_i = 1$ and $A_i$ is constructed in the same manner as
$X$ then set $B_i = (x + x_i, y + y_i)$. Otherwise set $B_i = (x + y_i, y + x_i)$.

• VERIFIER: Send $(X, A_1, \ldots, A_k, B_1, \ldots, B_k)$ to PROVER.

• PROVER: Compute $b_1 \ldots b_k = H(X, A_1, \ldots, A_k)$. Let $X = (W, Z)$,
$A_i = (C_i, D_i)$ and $B_i = (E_i, F_i)$. Accept if for each $i$ either
$b_i = 0$ and $A_i = (g^{E_i}, Rg^{F_i})$, $b_i = 0$ and
$A_i = (Rg^{E_i}, R^{F_i})$, $b_i = 1$ and
$(WC_i, ZD_i) = (Rg^{E_i}, Rg^{F_i})$ or $b_i = 1$ and
$(WD_i, ZC_i) = (Rg^{E_i}, Rg^{F_i})$.

Assumption 1 (Proof of Knowledge) For any polynomial time verifier, $V$,
that outputs $(X, A_1, \ldots, A_k, B_1, \ldots, B_k)$ such that the prover
accepts in the above protocol, there exists a polynomial time verifier, $V'$,
who with probability $1 - \epsilon$ outputs
$(X, A_1, \ldots, A_k, B_1, \ldots, B_k, x, y)$ such that $X = (g^x, Rg^y)$ or
$X = (Rg^x, g^y)$ where $\epsilon$ is a negligible function of $k$.

3 The Protocol 

Our protocol is based on Blum's protocol[2] for Hamiltonian Path. 

• PROVER: Sends $(p, g, R, H)$ to VERIFIER where $p$ is a prime of the
form $2q - 1$ and $q$ is prime, $g$ is a generator of $Z_p^*$, $r$ is a random
element of $Z_p^*$, $R = g^r$ and $H$ is a hash function whose range is
$\{0, 1\}^*$.

• VERIFIER: Selects a random $x$ and $y$ in $Z_p^*$. Flips a coin. If the coin
comes up heads, he chooses the pair $X = (g^x, Rg^y)$; if the coin comes up
tails, he chooses the pair $X = (Rg^x, g^y)$.

• VERIFIER: Selects $k$ pairs $A_i$ in the following manner. First select $x_i$
and $y_i$ from $Z_p^*$, then flip a coin to choose between
$A_i = (g^{x_i}, Rg^{y_i})$ and $A_i = (Rg^{x_i}, g^{y_i})$. We say $A_i$ is
constructed in the same manner as $X$ if $X = (g^x, Rg^y)$ and
$A_i = (g^{x_i}, Rg^{y_i})$ or if $X = (Rg^x, g^y)$ and $X = (Rg^x, g^y)$.

• VERIFIER: Let $b_1 \ldots b_k = H(X, A_1, \ldots, A_k)$. If $b_i = 0$ then set
$B_i = (x_i, y_i)$. If $b_i = 1$ and $A_i$ is constructed in the same manner as
$X$ then set $B_i = (x + x_i, y + y_i)$. Otherwise set $B_i = (x + y_i, y + x_i)$.

• VERIFIER: Send $(X, A_1, \ldots, A_k, B_1, \ldots, B_k)$ to PROVER.

• PROVER: Compute $b_1 \ldots b_k = H(X, A_1, \ldots, A_k)$. Let $X = (U, V)$,
$A_i = (C_i, D_i)$ and $B_i = (E_i, F_i)$. Reject unless for each $i$ either
$b_i = 0$ and $A_i = (g^{E_i}, Rg^{F_i})$, $b_i = 0$ and
$A_i = (Rg^{E_i}, R^{F_i})$, $b_i = 1$ and
$(UC_i, VD_i) = (Rg^{E_i}, Rg^{F_i})$ or $b_i = 1$ and
$(UD_i, VC_i) = (Rg^{E_i}, Rg^{F_i})$.

• PROVER: Pick a random $z \in Z_p^*$. Let $N_0$ be the response to challenge 0
in Blum's protocol. Let $N_1$ be the response to challenge 1 in Blum's
protocol. Encrypt $N_0$ using a secure private-key encryption scheme with
key $U^z$. Encrypt $N_1$ using a secure private-key encryption scheme with
key $V^z$. Send $g^z$ and both encryptions to VERIFIER.

• VERIFIER: If $X = (g^x, Rg^y)$ decrypt the first encryption with key
$(g^z)^x$ and accept if it is a proper response to challenge 0 in the Blum
protocol. If $X = (Rg^x, g^y)$ decrypt the second encryption with key
$(g^z)^y$ and accept if it is a proper response to challenge 1 in the Blum
protocol.

Theorem 1 The above protocol is a Zero-Knowledge Proof System for
Hamiltonian Path.
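
The last two steps of the protocol above, as an added Python example that is not code from the paper: the prover encrypts both Blum responses, and the verifier can open only the one that matches its coin. The toy group, the SHA-256 pad standing in for the encryption scheme, the byte-string responses and all function names are assumptions.

```python
import hashlib
import secrets

# Constructed toy group: p = 2^31 - 1 with generator 7. Far too small for real
# use, and it does not have the special prime form the protocol asks for.
P, G = 2**31 - 1, 7

def pad_xor(key_int, data):
    """Stand-in for the 'secure private-key encryption scheme' (assumption):
    XOR with a SHA-256-derived pad, so it handles at most 32 bytes."""
    pad = hashlib.sha256(str(key_int).encode()).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

def verifier_pair(R, heads):
    """VERIFIER: X = (g^x, R g^y) on heads, X = (R g^x, g^y) on tails."""
    x = secrets.randbelow(P - 2) + 1
    y = secrets.randbelow(P - 2) + 1
    gx, gy = pow(G, x, P), pow(G, y, P)
    X = (gx, R * gy % P) if heads else (R * gx % P, gy)
    return (x, y), X

def prover_last_round(X, n0, n1):
    """PROVER: pick z, encrypt N_0 under U^z and N_1 under V^z, send g^z."""
    U, V = X
    z = secrets.randbelow(P - 2) + 1
    return pow(G, z, P), pad_xor(pow(U, z, P), n0), pad_xor(pow(V, z, P), n1)

def verifier_open(exponents, heads, message):
    """VERIFIER: (g^z)^x opens the first ciphertext on heads,
    (g^z)^y opens the second on tails."""
    (x, y), (gz, c0, c1) = exponents, message
    if heads:
        return pad_xor(pow(gz, x, P), c0)
    return pad_xor(pow(gz, y, P), c1)

if __name__ == "__main__":
    R = pow(G, 5, P)                      # R = g^r with constructed r = 5
    n0, n1 = b"constructed response 0", b"constructed response 1"
    for heads in (True, False):
        exps, X = verifier_pair(R, heads)
        msg = prover_last_round(X, n0, n1)
        print("heads" if heads else "tails", verifier_open(exps, heads, msg))
```

On heads the verifier's other candidate key $(g^z)^y$ differs from $V^z = R^z g^{yz}$ by the factor $R^z$, so the second ciphertext stays closed to it.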



4 A Protocol Based on a Different Proof of Knowledge

This protocol is also based on Blum's protocol[2] for Hamiltonian Path. It differs 
from the previous protocol in that it is based on the hardness of factoring instead 
of the hardness of discrete log. 

• PROVER: Sends $(n, H)$ to VERIFIER where $n$ is the product of two
randomly chosen prime numbers and $H$ is a hash function whose range is
$\{0, 1\}^*$.

• VERIFIER: Selects a random $x$ in $Z_n^*$. Let $X = x^2 \bmod n$.

• VERIFIER: Selects $k$ random numbers $w_i$ in $Z_n^*$. Let $W_i = w_i^2 \bmod n$.

• VERIFIER: Let $b_1 \ldots b_k = H(X, W_1, \ldots, W_k)$. Let $B_i = w_i x^{b_i}$.

• VERIFIER: Send $(X, W_1, \ldots, W_k, B_1, \ldots, B_k, R)$ to PROVER, where
$R$ is a randomly chosen string.

• PROVER: Compute $b_1 \ldots b_k = H(X, W_1, \ldots, W_k)$. Reject unless for
each $i$, $B_i^2 = W_i X^{b_i}$.

• PROVER: Let $y$ and $z$ be the two square roots of $X$ in $Z_n^*$. Pick a
sequence of $k$ random strings $R_i$. Let $K_y$ be the $k$-bit string whose
$i$-th bit is $\langle R_i, y \rangle$¹. Similarly, let $K_z$ be the $k$-bit
string whose $i$-th bit is $\langle R_i, z \rangle$.

• PROVER: Let $N_0$ be the response to challenge 0 in Blum's protocol. Let
$N_1$ be the response to challenge 1 in Blum's protocol. Encrypt
$N_{\langle R, y \rangle}$ using a secure private-key encryption scheme with
key $K_y$. Encrypt $N_{\langle R, z \rangle}$ using a secure private-key
encryption scheme with key $K_z$. Send $(R_1, \ldots, R_k)$ and both
encryptions to VERIFIER.

• VERIFIER: Let $K_x$ be the $k$-bit string whose $i$-th bit is
$\langle R_i, y \rangle$. Attempt to decrypt both encryptions with key $K_x$.
Accept only if one of the decryptions is a correct response to challenge
$\langle R, x \rangle$ in Blum's protocol.
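
The verifier's message and the prover's check $B_i^2 = W_i X^{b_i}$ from the steps above, as an added Python example that is not code from the paper. SHA-256 as $H$, the toy modulus, the function names and the omission of the random string $R$ from the message are assumptions of this example.

```python
import hashlib
import math
import secrets

# Constructed toy modulus from two Mersenne primes; far too small for real use.
N = (2**31 - 1) * (2**61 - 1)

def challenge_bits(X, Ws):
    """b_1..b_k = H(X, W_1, ..., W_k). SHA-256 stands in for H (assumption),
    which limits this example to k <= 256."""
    data = b"|".join(str(v).encode() for v in [X, *Ws])
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return [(digest >> i) & 1 for i in range(len(Ws))]

def random_unit(n):
    """Random element of Z_n^*."""
    while True:
        v = secrets.randbelow(n - 2) + 2
        if math.gcd(v, n) == 1:
            return v

def verifier_message(n, k):
    """VERIFIER: X = x^2, W_i = w_i^2, B_i = w_i * x^{b_i}, all mod n."""
    x = random_unit(n)
    ws = [random_unit(n) for _ in range(k)]
    X = pow(x, 2, n)
    Ws = [pow(w, 2, n) for w in ws]
    Bs = [w * pow(x, b, n) % n for w, b in zip(ws, challenge_bits(X, Ws))]
    return x, (X, Ws, Bs)

def prover_accepts(n, message):
    """PROVER: recompute the bits and reject unless B_i^2 = W_i * X^{b_i} mod n
    for every i."""
    X, Ws, Bs = message
    if len(Ws) != len(Bs) or len(Ws) > 256:
        return False
    bits = challenge_bits(X, Ws)
    return all(pow(B, 2, n) == W * pow(X, b, n) % n
               for B, W, b in zip(Bs, Ws, bits))

if __name__ == "__main__":
    x, msg = verifier_message(N, 16)
    print("honest message accepted:", prover_accepts(N, msg))
    X, Ws, Bs = msg
    forged = (X, Ws, [Bs[0] * 2 % N] + Bs[1:])
    print("altered B_1 accepted:", prover_accepts(N, forged))
```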

5 Conclusion 

We believe that this protocol is an improvement over the Hada Tanaka protocol 
for the following reasons: 

1. We feel that our assumption is more believable than the Strong
Diffie-Hellman assumption used in the Hada Tanaka protocol because our
assumption is based on a widely used Proof of Knowledge.



¹ Where $\langle R_i, y \rangle$ is the inner product of $R_i$ and $y$.



2. We also prefer our Proof of Knowledge Assumption to the Strong
Diffie-Hellman assumption because our assumption is really a class of
assumptions. Instead of starting with a proof of knowledge for discrete log, a
protocol similar to ours could be created based on a different Proof of
Knowledge.

3. We believe that the proof that our protocol is a Zero-Knowledge Proof 
System is much simpler than the proof required for the Hada Tanaka 
protocol. 

4. The protocol that we present is a Zero-Knowledge Proof System. That is, 
it is sound even if the prover is computationally unbounded. 

5. In addition to the Strong Diffie-Hellman assumption, the Hada Tanaka
protocol required an assumption that Discrete Log is hard for all primes,
$p$, of the form $2q + 1$. Our protocol requires us to assume only that Discrete
Log is hard for a randomly chosen prime.